Re: [PATCH net-next v24 09/23] ovpn: implement packet processing

From: Antonio Quartulli
Date: Wed Apr 02 2025 - 08:08:35 EST

Next message: Antonio Quartulli: "Re: [PATCH net-next v24 11/23] ovpn: implement TCP transport"
Previous message: Nishanth Menon: "Re: [PATCH v2 1/1] soc: ti: PRUSS OCP configuration"
In reply to: Sabrina Dubroca: "Re: [PATCH net-next v24 09/23] ovpn: implement packet processing"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 01/04/2025 11:59, Sabrina Dubroca wrote:

2025-03-18, 02:40:44 +0100, Antonio Quartulli wrote:

+/* this swap is not atomic, but there will be a very short time frame where the
+ * old_secondary key won't be available. This should not be a big deal as most
+ * likely both peers are already using the new primary at this point.
+ */

This is not the case anymore.

Oh right - this comment can go.

+void ovpn_crypto_key_slots_swap(struct ovpn_crypto_state *cs)
+{
+ const struct ovpn_crypto_key_slot *old_primary, *old_secondary;
+ u8 idx;
+
+ spin_lock_bh(&cs->lock);
+ idx = cs->primary_idx;
+ old_primary = rcu_dereference_protected(cs->slots[idx],
+ lockdep_is_held(&cs->lock));
+ old_secondary = rcu_dereference_protected(cs->slots[!idx],
+ lockdep_is_held(&cs->lock));
+ /* perform real swap by switching the index of the primary key */
+ WRITE_ONCE(cs->primary_idx, !cs->primary_idx);
+
+ pr_debug("key swapped: (old primary) %d <-> (new primary) %d\n",
+ old_primary ? old_primary->key_id : -1,
+ old_secondary ? old_secondary->key_id : -1);
+
+ spin_unlock_bh(&cs->lock);
+}

[...]

+int ovpn_aead_encrypt(struct ovpn_peer *peer, struct ovpn_crypto_key_slot *ks,
+ struct sk_buff *skb)
+{

[...]

+ /* encrypt it */
+ return crypto_aead_encrypt(req);
+free_iv:
+ kfree(ovpn_skb_cb(skb)->iv);
+ ovpn_skb_cb(skb)->iv = NULL;
+free_sg:
+ kfree(ovpn_skb_cb(skb)->sg);
+ ovpn_skb_cb(skb)->sg = NULL;

nit: Those shouldn't really be needed, since we'll call
ovpn_encrypt_post that will take care of iv/sg/req. But it's fine if
you leave them.

Right!
This code flow was re-arranged a couple of times, and I have missed that we now always hit those free()s in post().

I prefer to drop them and put a comment indicating that cleanup happens in post().

(same thing on the decrypt side)

Yep

+ return ret;
+}

[...]

+/**
+ * ovpn_key_id_from_skb - extract key ID from the skb head
+ * @skb: the packet to extract the key ID code from
+ *
+ * Note: this function assumes that the skb head was pulled enough
+ * to access the first byte.

nit: another "first byte" that I missed previously :(

ACK!

+ *
+ * Return: the key ID
+ */
+static inline u8 ovpn_key_id_from_skb(const struct sk_buff *skb)
+{
+ u32 opcode = be32_to_cpu(*(__be32 *)skb->data);
+
+ return FIELD_GET(OVPN_OPCODE_KEYID_MASK, opcode);
+}

Regards,

--
Antonio Quartulli
OpenVPN Inc.

Next message: Antonio Quartulli: "Re: [PATCH net-next v24 11/23] ovpn: implement TCP transport"
Previous message: Nishanth Menon: "Re: [PATCH v2 1/1] soc: ti: PRUSS OCP configuration"
In reply to: Sabrina Dubroca: "Re: [PATCH net-next v24 09/23] ovpn: implement packet processing"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]